CVE-2022-45690 is a high-severity vulnerability identified as a stack overflow in the org.json.JSONTokener.nextValue method within the hutool-json library version 5.8.10. Hutool-json is a Java-based utility library commonly used for JSON and XML parsing and manipulation. The vulnerability arises when the JSONTokener component processes crafted JSON or XML input data that triggers a stack overflow condition. This overflow occurs due to improper handling of recursive or deeply nested structures, leading to excessive stack consumption. As a result, an attacker can cause a Denial of Service (DoS) by crashing the application or service that relies on this library for parsing JSON or XML data. The vulnerability does not impact confidentiality or integrity directly but severely affects availability by causing application crashes. The CVSS 3.1 base score is 7.5, reflecting a network-exploitable vulnerability that requires no privileges or user interaction, with a high impact on availability. No known public exploits have been reported in the wild, and no official patches or vendor advisories are currently available. The vulnerability is classified under CWE-787 (Out-of-bounds Write), indicating improper memory handling leading to stack corruption. Given the widespread use of JSON processing libraries in enterprise applications, especially in Java-based backend services, this vulnerability poses a significant risk to systems that parse untrusted JSON or XML inputs using hutool-json v5.8.10 or similar versions. Attackers can remotely trigger the DoS by sending maliciously crafted payloads, potentially disrupting critical services or applications that depend on this library for data interchange or API communication.

For European organizations, the primary impact of CVE-2022-45690 is service disruption due to Denial of Service attacks. Enterprises relying on Java-based applications that incorporate hutool-json for JSON or XML parsing are at risk of application crashes when processing maliciously crafted input. This can affect web services, APIs, microservices, and backend systems, leading to downtime, degraded service availability, and potential operational disruptions. Sectors such as finance, healthcare, telecommunications, and public administration, which often use Java-based middleware and data exchange formats like JSON/XML, may experience interruptions impacting business continuity and customer trust. Although the vulnerability does not compromise data confidentiality or integrity, the availability impact can indirectly affect compliance with regulations such as GDPR, which mandates service reliability and data protection. Additionally, repeated exploitation attempts could increase operational costs due to incident response and recovery efforts. The lack of authentication or user interaction requirements makes it easier for remote attackers to exploit this vulnerability, increasing the risk surface for exposed services. Organizations with internet-facing APIs or services that parse JSON/XML inputs without adequate input validation are particularly vulnerable.

1. Immediate mitigation involves identifying and isolating systems using hutool-json version 5.8.10 or earlier. Conduct a thorough inventory of Java applications and services to detect usage of this library. 2. Implement input validation and sanitization at the application level to reject or limit deeply nested or excessively large JSON/XML payloads, reducing the risk of stack overflow. 3. Employ runtime protections such as limiting stack size or using security frameworks that detect and prevent stack overflow conditions. 4. Where possible, update or replace hutool-json with a patched or alternative JSON parsing library that addresses this vulnerability. If no official patch is available, consider applying custom patches or workarounds that limit recursion depth in JSONTokener. 5. Deploy Web Application Firewalls (WAFs) or API gateways configured to detect and block anomalous JSON/XML payloads that may trigger the vulnerability. 6. Monitor application logs and network traffic for unusual parsing errors or crashes indicative of exploitation attempts. 7. Establish incident response procedures to quickly remediate and recover from DoS incidents caused by this vulnerability. 8. Engage with software vendors or open-source maintainers for updates or patches and subscribe to security advisories related to hutool-json. 9. Conduct security testing, including fuzzing and penetration testing, focusing on JSON/XML input handling to identify and remediate similar vulnerabilities proactively.